How ID can move out of the wallet and onto the smartphone

By Stephanie Kanowitz

May 11, 2016

Now that we’re all comfortable with smartphones (read: can’t live without them), companies are making it easy for us to pay for items with a device already in our hands. It’s no surprise, then, that the next item to move out of the wallet and onto the smartphone might be a digital ID.

HID Global’s goID platform lets government agencies issue credentials such as driver’s licenses, passports and other documents over the air to users’ smartphones. A reader, which can be another smartphone or tablet used by airport security, a shop owner or a police officer, receives the credentials after a user pushes a button on the phone to allow the data transfer. The amount of information shared depends on how the receiving device, or reader, is set up. A law enforcement officer, for instance, would get more data than, say, a bouncer at a bar verifying that someone is older than 21.

It’s a machine-to-machine verification, and the accessibility rules are set in the protocol and in the app that resides on the verifying party’s side.

The app provides more than an image of an ID card. If you “walk into a shop and show [the vendor] a photo of your credit card on your phone, you’d be quite unlikely to leave the shop with the thing you’re trying to buy,” said Rob Haslam, vice president and managing director of the government ID business at HID Global. “Having your credit card on your smartphone today means essentially putting the credit card’s functionality onto your phone. ... It’s the same for ID.”

Although no governments are yet using goID, Haslam envisions it working like this: People could apply for a digital ID virtually, through a Department of Motor Vehicles app, for example. “You would then enter your details from your physical document, which now proves that you have the document in your possession,” he said. If agencies issuing the credential want additional authentication, “they may want you to submit a selfie, which they could use for facial recognition.”

The data submitted would be vetted -- likely through an automated process -- and the issuing agency would invite users to download the virtual identity, via a notification that includes a one-time password. After entering the password, which confirms for the issuing agency that the information is going to the right person, the ID can be downloaded. “You’d be forced to have it on only one device, the same way you have the one physical credential,” Haslam said.

The technology goID uses is called Seos, and that’s where the authorization comes in. “You don’t show your phone to the verifying party. They ask you to release your ID,” he said. When users approve that request, the data travels to the requesting device via near-field communication (NFC) or Bluetooth -- but only the data relevant to the requesting app. A car rental business, for example, could request data verifying both age and a current driver’s license, while a wine shop could confirm only that a buyer was of age.

Because it works with NFC and Bluetooth, goID is available even when the phone is not connected to Wi-Fi. When it is connected to Wi-Fi, however, the information comes from a server in the cloud, not from the phone itself.

The information is cryptographically secure end-to-end and protected from man-in-the-middle attacks, Haslam said. It does not reside on a SIM card. Additionally, the ID is edit- and tamper-proof because the data sits behind firewalls. “In the same way that you shouldn’t be able to get into your physical card and change the date, you can’t get into the information in your phone, in your ID,” he added.

If a phone is lost or replaced, the user reports it to the issuing agency, which remotely wipes the ID. Then the user reapplies for a new ID.

For issuing agencies, such as a DMV, little technology would need to be added to make goID work because the backend vetting has already happened through established databases and biometrics-collection processes. “What we’re offering is a relatively light, minimal overlay … essentially over and above what government agencies have. All they need is an interface to what we provide,” Haslam said.

The company will soon start a pilot test of goID abroad. So far, it’s not being implemented in the United States, but there is interest in digital IDs here. For instance, Illinois and Louisiana are looking into phone-based driver’s licenses, and the Iowa Department of Transportation has tested mobile driver’s license software with identity services company MorphoTrust USA.

Widespread adoption might not be in the immediate offing, but digital IDs would help government agencies become more efficient, Haslam said.

“We’re not saying that we see the physical license going away,” he said. “But it would certainly cut down on paperwork and manual processes.”

inside gcn

Reader Comments

Thu, May 12, 2016
Derek H

They can't keep tax records or veterans records safe but want us to trust a digital electronic ID? Really? A firewall doesn't protect against bad actors like Snowden or Manning. No thanks, not everything needs to go on my phone.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.